REPORT ON
FY 2006 FISMA AUDIT OF THE
SMITHSONIAN INSTITUTION'S
INFORMATION SECURITY PROGRAM

Cotton & Company LLP
Auditors · Advisors
635 Slaters Lane, 4th Floor
Alexandria, Virginia 22314
703.836.6701
www.cottoncpa.com

CONTENTS

Purpose
Background
Objectives, Scope, and Methodology
Results:
    1. Major System Operated Without Going Through Formal Certification and Accreditation Process
    2. Standard Security Configuration Baselines Were Not Implemented
    3. Incident Response Policies and Procedures Lack a Training Requirement
    4. Security Awareness Training Procedures Were Not Being Followed
    5. Controls Were Not Adequate to Ensure Annual Self-Assessments Were Accurate and Complete
    6. Standard Security Configuration Baselines Were Weak
    7. Major System Security Plans Do Not Include Minimum Security Controls Section
    8. Some Major System Plan of Action and Milestone Schedules Were Missing Pertinent Data
Status of Prior-Year Recommendations
Summary of Management Response
Office of the Inspector General Comments
Appendix A: CIS Benchmark Comparison for Oracle 9i/10g
Appendix B: CIS Benchmark Comparison for Windows 2003 Domain Controller
Appendix C: Full Text of Management Response

Smithsonian Institution OIG, FY2006 FISMA Review

Cotton & Company LLP conducted an audit of the Smithsonian Institution's (Institution) security management program and practices in accordance with Title III of the E-Government Act of 2002, also known as the Federal Information Security Management Act (FISMA).

PURPOSE

The E-Government Act of 2002 (Pub. L. No. 107-347), which includes Title III, the Federal Information Security Management Act of 2002, was enacted to strengthen the security of federal government information systems. Although the E-Government Act of 2002 does not apply to the Institution, the Institution supports the information security practices required by the Act because they are consistent with and advance the Institution's mission and strategic goals.

FISMA outlines federal information security compliance criteria, including the requirement for an annual independent assessment by the Institution's Inspector General.
This report presents the results of the Smithsonian Institution's Office of the Inspector General (OIG) annual evaluation of the information security controls implemented by the Institution, based primarily on the work performed by Cotton & Company LLP.

BACKGROUND

FISMA, Office of Management and Budget (OMB) regulations, and National Institute of Standards and Technology (NIST) guidance outline minimum security requirements for federal information security programs. These include:

    •   Annual System Self-Assessments. NIST's Security Self-Assessment Guide for Information Technology Systems contains specific control objectives and techniques against which a system can be tested and measured. Performing a self-assessment and mitigating any weaknesses found is an effective way to determine whether the system or the information it contains is adequately secured and protected from loss, misuse, unauthorized access, or modification. OMB guidelines require organizations to use the NIST self-assessment tool annually to evaluate each of their major systems.

    •   Certification and Accreditation. NIST's Guide for the Security Certification and Accreditation of Federal Information Systems states that systems should be certified and accredited.
        A certification is "a comprehensive assessment of management, operational and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly and operating as intended." NIST guidance also discusses system accreditation, which is "the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to operations, assets, or individuals based on the implementation of the agreed-upon set of security controls." Organizations should use the results of the certification to reassess their risks and update system security plans to provide the basis for making security accreditation decisions.

    •   System Security Plan. NIST's Guide for Developing Security Plans for Federal Information Systems requires that all major applications and general support systems be covered by a security plan. The plan provides an overview of the security requirements of a system and describes the controls in place or planned for meeting those requirements. Additionally, the plan defines responsibilities and the expected behavior of all individuals accessing the system. The NIST guide also instructs that the security plan should describe the management, operational, and technical controls the organization has implemented to protect the system.
        Among other things, these controls include user identification and authentication procedures, contingency/disaster recovery planning, application software maintenance, data validation, and security awareness training.

OBJECTIVES, SCOPE, AND METHODOLOGY

On behalf of the OIG, Cotton & Company performed an independent audit of the Institution's information security management program. We conducted this audit in accordance with Generally Accepted Government Auditing Standards, 2003 Revision, as amended, promulgated by the Comptroller General of the United States. This report is intended to meet the objectives described below and should not be used for other purposes.

The objectives were to evaluate and report on the effectiveness of the Institution's information security program and practices by:

    •   Reviewing existing system security plans, policies, and procedures for compliance with applicable laws and regulations.
    •   Determining whether mission-critical systems and interfaces across the Institution have been identified in the system inventory.
    •   Identifying new systems or systems significantly modified during the year and determining whether they were certified and accredited.
    •   Determining whether system categorizations comply with guidance identified in Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems.
    •   Reviewing major application and general support system self-assessments performed by system owners.
    •   Assessing the effectiveness of procedures for mitigating system deficiencies through the Plan of Action and Milestones (POA&M) process.
    •   Determining the completeness of disaster recovery plans, particularly for the Institution's general support system (SInet).
    •   Completing the OIG FISMA template in accordance with Section C of OMB Memorandum M-06-20, dated July 17, 2006.

To accomplish these objectives, we evaluated the Institution's security program, plans, policies, and procedures in place as of August 31, 2006, for compliance with applicable federal laws and regulations, including specific guidance issued by OMB and NIST. Our audit included a high-level review of each of the Institution's 18 major systems and more detailed steps to evaluate the Institution's policies, procedures, and practices for:

    •   Certification and accreditation,
    •   POA&M,
    •   Security awareness training,
    •   Technical security training, and
    •   Incident response.

Additionally, we evaluated management actions completed through August 31, 2006, to address recommendations contained in the OIG's FY 2005 FISMA evaluation, Report No. M-05-03, issued February 16, 2006.

Our audit was based on detailed interviews with Office of the Chief Information Officer (OCIO) personnel and major system owners or sponsors. We reviewed policies, procedures, and practices for compliance with NIST and OMB guidance and, where possible, tested the Institution's policies, procedures, and controls for effectiveness.

RESULTS

Our audit of the Institution's security management program and practices determined that while progress has been made in complying with requirements identified by FISMA, significant work is still necessary to ensure adequate controls are in place and operating effectively. The Institution made notable progress in addressing prior-year weaknesses.
Of the 9 recommendations in the OIG's FY2005 FISMA evaluation report, 7 were closed in FY2006 and 1 in December 2006. Specific areas where the Institution made progress include:

    •   Updating the Institution's system inventory to include system interfaces,
    •   Developing and testing disaster recovery plans,
    •   Establishing an interconnection agreement with the Smithsonian Astrophysical Observatory (SAO),
    •   Including completed items on the POA&Ms for one year after the completion date,
    •   Updating security plans based on changes to security configuration checklists, major system and operating environment changes, and the results of annual self-assessments,
    •   Completing self-assessments by mid-August 2006, and
    •   Certifying and accrediting systems affected by moving the data center to Herndon.

The one remaining recommendation, concerning specialized IT security training, has not been closed. Currently, project managers are the only personnel with completed plans. Training plans are being developed for network staff, IT project managers, and security staff. In addition, the Office of Human Resources (OHR) has developed a database that contains fields for recording course titles, hours, and completion dates; however, there is no implemented process or requirement for users to report training to OHR or OCIO for more formal tracking.

In addition, we noted that OCIO has thoroughly developed and documented IT policies and procedures. However, due to the Institution's decentralized IT environment, the implementation and enforcement of these policies and procedures has been limited or inconsistent.
Without the centralization of IT operations and the assignment of responsibility within OCIO for ensuring Institution policy and procedures are being followed, management cannot ensure adequate controls are in place. More control and oversight of IT operations should reside with OCIO, with the sole exception of the OIG, which must remain independent.

The following is a more detailed discussion of the weaknesses we found in our FY 2006 FISMA audit, as well as 12 recommendations for strengthening management controls over the Institution's information security program. We present our findings in order of greatest risk to the system.

Major System Operated Without Going Through Formal Certification and Accreditation Process

Controls were not adequate to ensure that all of the Institution's major applications have gone through a timely, formal certification and accreditation (C&A) process and received authorization for processing before being placed in production. Although OCIO has made significant progress in certifying and accrediting its major applications, we determined the C-Cure badging system (badging system) currently in production had not received official certification and accreditation to operate as of August 31, 2006. OCIO identified the badging system as a major application at the beginning of FY 2006 and stated that it was in the process of certifying and accrediting the system. We followed up with OCIO and determined the badging system received interim approval to operate on October 30, 2006, and full accreditation on November 16, 2006, after remediation of identified weaknesses.

OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources; B. Descriptive Information; b. Controls for Major Applications, (4) Authorize Processing, states:

        ...The application must be authorized prior to operating and re-authorized at least every three years thereafter. Management authorization implies accepting the risk of each system used by the application.

The C&A process is intended to identify system weaknesses and mitigate them to an acceptable level before the system is placed into production. Without going through the C&A process, the individuals responsible for managing the badging system could not reasonably ensure that it and related data were not subject to unacceptable levels of risk.

Recommendation

  1.    We recommend that the CIO develop and put in place Institution-wide controls to ensure that major applications are not placed into production before going through a formal certification and accreditation process and receiving formal authorization to operate.

Standard Security Configuration Baselines Were Not Implemented

Controls are not adequate to ensure standard security configuration baselines have been implemented on major applications in accordance with Institution policy. Specifically, IT-960-TN16, Baseline & Configuration Management of Application, Database, and Web Servers, Section I, states:

        System owners must use established OCIO baseline build documents and obtain the appropriate approvals prior to installing or updating the operating system for application, database, and web servers to be placed on SInet.

Standard security configuration baselines (baseline build documents) document the recommended security settings that should be implemented on a platform such as Oracle or Windows. OCIO developed and documented its standard security configuration baselines for system sponsors to implement; however, we determined these baselines have not been implemented for all major systems.

For example, our audit of the Development and Membership Information System (DMIS) major application noted that baselines for the Oracle database and Windows operating system have not been implemented. Management has identified this weakness in the DMIS POA&M; however, the target dates for implementing the baselines are not until sometime in 2007.

In addition, our audit of the Institution's SInet Windows domain controller noted that the Institution's Windows 2003 baseline has not been implemented on the domain controller, even though OCIO is responsible for implementing and maintaining this server. IT-960-TN16 states:

        Any network or application server attaching to SInet will comply with the approved baseline configuration specified in this technical note... Deviations from the approved configurations will require a waiver from the Chief Information Officer.

IT-960-TN16, Section 3, Responsibilities, I. System Owners, states:

        System owners must use established OCIO baseline build documents and obtain the appropriate approvals prior to installing or updating the operating system for application, database, and web servers to be placed on SInet... Formally review their server configuration files twice a year, or when there are major changes requiring an update to this technical note (including its appendices) and individual system configuration documents.

Without adequate controls in place to ensure that configuration baselines are developed and put in place over the Institution's major information systems, the confidentiality, availability, or integrity of Institution systems and related data may be at greater risk than management is willing to accept.

Recommendation

  2.    We recommend that the CIO establish procedures to ensure existing policies requiring the use of standard baselines are implemented and enforced.

Incident Response Policies and Procedures Lack a Training Requirement

Controls were inadequate to ensure that personnel with significant incident response roles and responsibilities understood and were capable of carrying out the Institution's incident response policies and procedures. Specifically, we noted that none of the key incident response personnel within OCIO had received training on the Institution's documented incident response policy and procedures.
Additionally, we noted that the Institution's incident response policy does not specifically require incident response training or annual refresher training for key personnel.

NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, Section 3.7.2, Characteristics, Educated Constituency, states:

        Users need to know about, accept, and trust the incident handling capability or it will not be used. Through training and awareness programs, users can become knowledgeable about the existence of the capability and how to recognize and report incidents.

In addition, NIST SP 800-53, Recommended Security Controls for Federal Information Systems, IR-2, Incident Response Training, states:

        The organization trains personnel in their incident response roles and responsibilities with respect to the information system and provides refresher training at least annually.

Without periodic incident response training for key personnel, management cannot ensure that incidents will be handled according to the Institution's policy, and incidents may result in greater damage to the Institution's systems than would have occurred if personnel had been appropriately trained.

Recommendation

  3.    We recommend that the CIO conduct incident response training for individuals with significant incident response roles and conduct periodic refresher training at least annually.

Security Awareness Training Procedures Were Not Being Followed

Controls were not adequate to ensure employees completed security awareness training in accordance with Institution policy IT-930-02, Security Controls Manual, Section 3.2.2.1, On-line Training, which states:

        All employees, volunteers, interns, visiting scholars, and contractor personnel who use the Institution's computers and networks must complete computer security awareness training annually. Directors of each museum, research center, or office will ensure that new employees, volunteers, interns, visiting scholars, and contractor personnel complete the course within 30 days after beginning work and that each user completes the online computer security awareness tutorial annually.

We identified 13 new network users who were granted network access between July 9 and 20, 2006. Of the 13, four did not complete online awareness training within the required 30-day period. In addition, we randomly selected 45 individuals after September 30 to determine whether they had completed annual security awareness training. Of the 45 individuals selected, we identified 3 who had not completed annual security awareness training.

Responsibility for ensuring that Institution personnel attend security awareness training is assigned at the unit, museum, research center, or office director level.
Although OCIO reviews attendance at the end of the year to ensure individuals have completed training and sends reminders to each unit to take the training, we noted that responsibility for ensuring new employees complete training within the required 30-day period has not been assigned to an individual within OCIO.

Additionally, we determined OCIO has not specifically defined consequences for non-compliance with the Institution's security awareness training policy. OCIO has withheld computer hardware purchase authority from units in the past; however, this type of penalty is not defined in its policy.

OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources, states that agencies must "...ensure that all individuals are trained in how to fulfill their security responsibilities before allowing them access to the system." In addition, NIST Special Publication (SP) 800-50, Building an Information Technology Security Awareness and Training Program, states:

        Federal agencies and organizations cannot protect the confidentiality, integrity, and availability of information in today's highly networked systems environment without ensuring that all people involved in using and managing IT:

        •   Understand their roles and responsibilities related to the organization's mission;
        •   Understand the organization's IT security policy, procedures, and practices; and
        •   Have at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible.

Further, NIST SP 800-50 states:

        As cited in audit reports, periodicals, and conference presentations, it is generally understood by the IT security professional community that people are one of the weakest links in attempts to secure systems and networks. The "people factor," not technology, is key to providing an adequate and appropriate level of security. ... A robust and enterprise-wide awareness and training program is paramount to ensuring that people understand their IT security responsibilities, organizational policies, and how to properly use and protect the IT resources entrusted to them.

Security awareness training is the primary vehicle for communicating the agency's security policies, procedures, practices, and the expected behaviors of employees and contractors. Without effective security awareness training, management's ability to communicate the agency's security policies and procedures is diminished, and the risk of unauthorized activities by employees or contractors increases.

Recommendations

We recommend that the CIO:

  4.    Develop, document, and implement procedures to enforce Institution policy requiring individuals to complete security awareness training within 30 days of being granted a SInet account and annually thereafter.

  5.    Identify, document, and enforce consequences of noncompliance with the Institution's security awareness training policy (such as revoking access to SInet until training is completed).

Controls Were Not Adequate to Ensure Annual Self-Assessments Were Accurate and Complete

Controls were not adequate to ensure that annual self-assessments were accurate, complete, and in accordance with Institution policy for all major Institution systems.
Specifically, we determined that a self-assessment was not completed for the Institution's badging system, which was identified as a major application in early 2006. OCIO stated that it (OCIO in conjunction with the system sponsor) was in the process of completing the initial certification and accreditation for the system and was therefore not requiring the system sponsor to complete a self-assessment. As of August 2006, OCIO's certification and accreditation effort had not been completed. Further, our review of completed self-assessments noted that none of the system sponsors produced or retained supporting documentation during their assessments.

IT-930-01, AIS Security Planning, Section 6.2, Periodic Re-Analysis of AIS Security, states: "...Each system sponsor is required to annually complete a Self Certification review using NIST SP 800-26... The Computer Security Manager will review the Self Certification by July 30th."

NIST SP 800-26, Section 3, Questionnaire Structure, states:

        After each question, there is a comment field and an initial field. The comment field can be used to note the reference to supporting documentation that is attached to the questionnaire or is obtainable for that question... Additionally, the section may reference supporting documentation on how the control objectives and techniques were tested and a summary of findings.

Additionally, our testing identified specific instances where responses documented on self-assessments were inaccurate. We noted the following issues:

•   SInet 800-26, Section 4.1.3, indicated that rules of behavior have been established and signed by users and integrated within the system.
    We selected a random sample of 45 users to determine whether they had signed rules of behavior. Of the 45, management could only provide us with 5 signed copies. (See companion SInet Audit Report, Number A-06-07.)

•   SInet 800-26, Section 6.1.8, identified a process for requesting, establishing, issuing, and closing user accounts, and the self-assessment response indicated the control has been tested and integrated into the system. However, we selected a random sample of 45 SInet user accounts to test and identified the following:

    -   Network accounts are not being promptly disabled or deleted after a period of inactivity. Out of 12,053 active SInet accounts, 3,359 (28%) have not been used in more than 180 days.
    -   Network accounts are not being promptly deleted when users leave the Institution. We selected a random sample of 45 individuals who had recently resigned and noted that 16 of the 45 were still identified as active on the network. (See Audit Report Number A-06-07.)

•   SInet 800-26, Section 15.1.6, indicated that passwords were changed at least every 90 days or earlier, and that this control was tested and integrated into the system.
    In our SInet report (see Audit Report Number A-06-07), we noted that passwords were not being consistently changed within 90 days.

•   Visitor Count Management System (VCMS) Section 6.1.8 indicates that procedures have been developed, implemented, tested, and integrated; however, our review of the VCMS POA&M noted this control was also reported as a weakness.

We were informed during our audit that although OCIO offered a 2-day course (not mandatory) on completing the NIST SP 800-26 self-assessments, system sponsors did not attend this training. In addition, because self-assessments were not provided to OCIO until early August, OCIO did not sufficiently review the assessments before providing them to the auditor.

Without adequate knowledge or guidance on how to accurately complete annual self-assessments, management cannot be sure that self-assessments are effectively providing assurance that no new risks have been introduced into the production environment that it would be unwilling to accept if identified.

Recommendations

We recommend that the CIO:

  6.    Comply with Institution policy by reviewing annual self-assessments to ensure they are completed accurately, and require system sponsors to produce and retain adequate documentation to support the conclusions made.

  7.    Require system owners to attend training provided by OCIO on completing self-assessments.

Standard Security Configuration Baselines Were Weak

Although OCIO went through a detailed process to develop and document its standard security configuration baselines, we noted these baselines did not address many security configuration settings identified in industry-accepted security configuration baselines.
OMB Memorandum M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, Section 18, identifies what are minimally acceptable system configuration requirements and where they may be located:

        Security configuration checklists are now available for computer software widely used within the Federal Government. The checklists may be found on the NIST Computer Security Division website as well as the NSA System and Network Attack Center website. OMB expects agencies to use the published configurations or be prepared to justify why they are not doing so. Inspectors General should review such use.

Specifically, we compared the Institution's Windows 2003 and Oracle baselines to the Center for Internet Security's (CIS) respective benchmarks and noted specific areas the Institution's baselines did not address. (See Appendixes A and B for the comparisons.)

Through discussions with OCIO, we determined the Institution developed its own baselines and removed configuration settings or controls that it determined did not need to be implemented or were not applicable to Institution systems. Because baselines should show management's risk-based consideration of all controls applicable to a platform such as Windows or Oracle, industry best practice is to include all security settings in a baseline and to document on the baseline the reason why certain controls were not implemented.

Without a comprehensive baseline for system sponsors to use in securing their systems, management cannot be sure all necessary security settings have been adequately addressed or implemented.

Recommendations

We recommend that the CIO:

  8.    Consider adopting industry-accepted baselines, such as those offered by NIST, the National Security Agency (NSA), or CIS. If OCIO decides to use its own baselines, we recommend OCIO compare them to industry-accepted baselines and update them where necessary to ensure the Institution's baselines address all known configuration options.

  9.    Update Institution policy and procedures to require system sponsors to document on implemented baselines those controls which management has chosen not to implement for valid business reasons.

Major System Security Plans Do Not Include Minimum Security Controls Section

Controls were inadequate to ensure that the Institution's major system security plans included information required by Institution, OMB, and NIST guidance. The Institution's IT-930-01, Section 2, Concept and Requirements Definition Phase, states:

        The Project Manager prepares the AIS Security Plan, which is the repository for all security-planning documents generated during the life cycle.

OCIO has a standard template, documented in IT-930-01, Appendix B, for project managers to use when developing system security plans. This security plan template includes 13 sections. We noted that two of the Institution's system security plans [National Air and Space Museum (NASM) and National Museum of American History Multi MIMSY Collection Information System (MIMSY CIS)] did not include the minimum security controls section. Without inclusion of the minimum security controls in the security plan, specific control areas required by OMB A-130, Appendix III, were not addressed.
The OMB A-130 controls not addressed included:\n\n        \xe2\x80\xa2       Rules of Behavior\n        \xe2\x80\xa2       Specialized Training\n        \xe2\x80\xa2       Personal Security\n        \xe2\x80\xa2       Incident Response Capability\n        \xe2\x80\xa2       Contingency Planning\n        \xe2\x80\xa2       Technical Security\n        \xe2\x80\xa2       Public Access Controls\n\nIn addition, our review of the DMIS security plan noted that minimum security controls were\ndocumented although these controls were not included in or referenced to in the system security\nplan (see companion DMIS Audit Report Number A-06-08). NIST SP 800-18 Guide for\nDeveloping Security Plans for Federal Information Systems section 1.4 states:\n\n        The purpose of system security plans is to provide an overview of the security\n        requirements of the system and describe the controls in place or planned for meeting\n        those requirements.\n\nWithout inclusion of or reference to all documented controls in the system security plan, the risk\nof security policies and procedures not being followed or in place and operating effectively\nincreases.\n\n\n\n\n                                                10\n\x0cSmithsonian Institution OIG                                              FY2006 FISMA Review\n\nA lack of adequate controls in place to verify that security plans are being developed,\ndocumented, and approved in accordance with Institution, OMB, and NIST policy also increases\nthe risk that controls over major systems have been inadequately identified and tested.\n\nRecommendation\n\n  10.   
We recommend that the CIO require system sponsors to update system security plans for\n        NASM and MIMSY CIS to comply with IT-930-01 guidance.\n\nSome Major System Plan of Action and Milestone Schedules are Missing Pertinent Data\n\nOMB Circular A-11 Part 7 states:\n\n        As defined in OMB Memorandum 02-01, a plan of action and milestones (POA&M),\n        also referred to as a corrective action plan, is a tool that identifies tasks that need to be\n        accomplished. It details resources required to accomplish the elements of the plan, any\n        milestones in meeting the task, and scheduled completion dates for the milestones. The\n        purpose of the POA&M is to assist agencies in identifying, assessing, prioritizing, and\n        monitoring the progress of corrective efforts for security weaknesses found in programs\n        and systems.\n\nThe Institution has developed and implemented a POA&M process. POA&Ms are consistently\ndeveloped for each of the Institution\xe2\x80\x99s major applications and sent to the CIO for inclusion in the\nInstitution-wide POA&M. However, our review of completed POA&Ms for major systems noted\nthat many are missing information required by IT-930-01, Automated Information System (AIS)\nSecurity Planning Technical Standard & Guidelines and OMB Memorandum M-02-01, Guidance\nfor Preparing and Submitting Security Plans of Action and Milestones. 
Specifically, we noted the following issues with the Institution's major system POA&Ms:

•   Financial Management System (FMS), Travel Management System (TMS), and Visitor Count Management System (VCMS): the scheduled completion date for each milestone was not identified.

•   SInet and Smithsonian Astrophysical Observatory Scientific Computing System (SAO): the Scheduled Completion Date states "TBD", and there is no "Status" column.

•   Art Collection Information System (ARTCIS): there is no column for "Status."

Without adequate controls to ensure required information is included in the POA&M, management's ability to track and effectively mitigate known weaknesses in a timely manner is diminished.

Recommendations

We recommend that the CIO:

  11.   Require system sponsors for the ARTCIS, SAO, VCMS, and SInet systems to update their POA&Ms to include all information required by IT-930-01.

  12.   Periodically review POA&Ms to ensure that they meet the criteria identified in IT-930-01 and OMB Memorandum M-02-01.

Status of Prior-Year Findings and Recommendations (FY 2005 FISMA evaluation, Report No. M-05-03)

Prior-Year Finding: System Inventory Does Not Identify All of the Institution's Mission-Critical System Interfaces
Recommendation: We recommend the CIO identify and include all system interfaces, including those that transfer sensitive data, in its major system inventory to comply with FISMA reporting requirements.
Status: Closed, 3/23/2006

Prior-Year Finding: Certification and Accreditation Process Needs Improvement – Security Plans for the 14 Major Systems Were Not Updated
Recommendation: We recommend that the CIO require units to update system security plans based on changes to security configuration checklists, major system and operating environment changes, and the results of annual self-assessments.
Status: Closed, 6/6/2006

Prior-Year Finding: Certification and Accreditation Process Needs Improvement – Systems Are Operating Without Finalized Disaster Recovery Plans
Recommendation: We recommend that the CIO develop a separate disaster recovery plan for the National Postal Museum's collection information system and finalize the draft disaster recovery plans for the six major applications discussed in this report.
Status: Closed, 3/23/2006

Prior-Year Finding: Certification and Accreditation Process Needs Improvement – SAO Operates on a Non-Smithsonian System Without an Interconnection Agreement
Recommendation: We recommend that the CIO work with Harvard University and SAO to establish an interconnection agreement between the Smithsonian and Harvard University for the SAO Scientific Computing System, as required by NIST's "Security Guide for Interconnecting Information Technology Systems".
Status: Closed, 6/14/2006

Prior-Year Finding: Certification and Accreditation Process Needs Improvement – Significant System Changes Occurred with No Reaccreditation
Recommendation: We recommend that the CIO ensure that the general support system and affected major applications are reaccredited after the primary data center and general support system are relocated to Herndon, Virginia, and establish a process for ensuring that all major systems are reaccredited when significant changes occur in systems and/or their operating environment, in accordance with NIST guidance.
Status: Closed, 9/29/2006

Prior-Year Finding: Specialized IT Security Training Not Provided to All Employees with Significant Computer Security Responsibilities
Recommendation: We recommend that the CIO require that employees who have significant computer responsibilities report their plans for meeting the specialized training requirements at the beginning of the fiscal year, and monitor employee progress during the year to ensure that training is completed.
Status: Open; target 01/31/2007. Training plans have not been created for all personnel. Currently, curriculums are being developed for network staff, IT project managers, and security staff. Project managers are the only personnel with completed plans.

Prior-Year Finding: Specialized IT Security Training Not Provided to All Employees with Significant Computer Security Responsibilities (continued)
Recommendation: We recommend that the CIO ensure, either through OCIO's current tracking process or the Human Resources Management System, that in FY 2006 individuals identify course titles, hours, and completion dates of specialized IT training to provide assurance that NIST training requirements are satisfied.
Status: Closed, 12/21/2006

Prior-Year Finding: Improvements Needed to Facilitate the Annual FISMA Evaluation Process – Completed Action Plan Items Need to Be Retained for a Minimum of One Year
Recommendation: We recommend the CIO keep completed items in the action plan for one year after they have been fully mitigated.
Status: Closed, 3/23/2006

Prior-Year Finding: Improvements Needed to Facilitate the Annual FISMA Evaluation Process – Self-Assessments
Recommendation: We recommend that the CIO ensure self-assessments are completed and available no later than July 30 of each year.
Status: Closed, 9/29/2006

Summary of Management Response

Management's March 27, 2007, response to our draft report generally concurred with 11 of our 12 recommendations to strengthen the effectiveness of the Institution's information security program and practices. OCIO agreed that work remains to be done but indicates that efforts to further improve IT security are complicated by limited resources as well as changing OMB and NIST guidance. OCIO stated that successful completion of some of the recommendations will require resources not currently budgeted for in OCIO.
Management disagreed with our recommendation to ensure that major applications are certified and accredited before being placed into production and receiving a formal authorization to operate, because it maintains that it already has adequate safeguards in place.

Management's planned actions are summarized below:

Recommendation 1. Non-concur. OCIO believes that adequate controls are in place to ensure that major applications are not placed into production before going through a certification and accreditation (C&A) process. All Major Applications are required to participate in the Technical Review Board (TRB) process, and as part of this process C&A is required.

Recommendation 2. Concur. OCIO will draft procedures by September 30, 2007, to ensure existing policies requiring the use of standard baselines are implemented and enforced.

Recommendation 3. Concur. OCIO indicates that this training was conducted on September 18, 2006, where key incident response staff were involved in running several incident response scenarios.

Recommendation 4. Concur. OCIO will draft and implement procedures by July 31, 2007, to enforce Institution policy requiring individuals to complete security awareness training within 30 days of being granted an SI network account.

Recommendation 5. Concur. OCIO will modify the Institution's policy by July 31, 2007, to include consequences for noncompliance with the annual requirement for security awareness training.

Recommendation 6. Concur. By July 31, 2007, OCIO plans to rescind its policy requiring self-assessments, which will no longer be required by NIST. Instead, NIST will require annual assessments of selected controls in accordance with SP 800-53A, and OCIO has agreed to comply with the NIST guidance.

Recommendation 7. Concur. OCIO has chosen to withdraw the requirement for annual self-assessments under NIST SP 800-26. According to NIST guidance, SP 800-26 is to be replaced by SP 800-53A, which will require annual assessments of selected controls. Therefore, OCIO believes that training on completing self-assessments would not be required.

Recommendation 8. Partial concurrence. OCIO agreed to review its baselines and compare them to newer industry-accepted baselines, identify deviations, and document the differences by September 30, 2007. OCIO also agreed to review its baselines annually.

Recommendation 9. Concur. The CIO agreed to update Institution policy and procedures by July 31, 2007, to require that system sponsors document on baselines those controls that management chose not to implement.

Recommendation 10. Concur. OCIO will update security plans during the 2007 recertification and reaccreditation process to ensure that minimum security controls are in place in accordance with the current version of IT-930-01.

Recommendation 11. Concur. OCIO stated that POA&Ms have been updated to include all information required by IT-930-01.

Recommendation 12. Concur. OCIO stated that all POA&Ms have been updated to include scheduled completion date and status. OCIO will ensure in periodic reviews, and no less than annually, that the POA&Ms meet relevant criteria.

The full text of management's response is included in Appendix C.

Office of the Inspector General Comments

Management's planned actions for recommendations 2 through 5, and 8 through 12, respond to the intent of our recommendations and we consider them resolved. Regarding planned actions for recommendations 6 and 7 on self-assessments, we note that while NIST SP 800-26 will likely be rescinded, there will be a replacement for it in SP 800-53A that requires annual assessments be conducted on selected controls. Therefore, the CIO needs to ensure that the annual assessments are accurate, complete, and properly supported, and that individuals involved in conducting assessments are properly trained. With the understanding and expectation that OCIO will fully implement the anticipated guidance on annual assessments, we consider recommendations 6 and 7 resolved.

In evaluating management's response to this report, we held several discussions with the IT Security Director in an effort to clarify and resolve areas of disagreement. The only recommendation on which we could not ultimately reach resolution is recommendation 1, on ensuring major applications are not placed into production before going through a formal C&A process. We agree with OCIO that once a system is identified as "major," the process of going through the Technical Review Board and certifying and accrediting the system before production is a sound one. However, the primary criterion for identifying a system as major was whether it was listed on an OMB Exhibit 300. As a consequence, OCIO did not certify and accredit smaller, less expensive, but in our view not necessarily less important systems such as Badging, VCMS, and DMIS. Recently, because these systems have either been upgraded or their data was subsequently recognized as sensitive, they were re-categorized as major and OCIO has subjected them to the certification and accreditation process.

We are concerned that the Institution relies on other IT systems that contain sensitive, mission-critical data at the unit level but that have not been put through the rigors of a certification and accreditation process, because these smaller applications have not required expenditures that would require them to be listed on an Exhibit 300. For example, there are systems at the National Zoological Park, such as the Animal Records Keeping System, the Medical Animal Records System, and the Single Population Animal Records Keeping System, that were never identified as major systems, yet we believe the information contained in these systems is mission-critical to the Zoo and the health and welfare of the animals. Also, the Office of Protection Services operates the NACIS database application system, which is critical for documenting and tracking the status of employee and contractor background investigations and suitability determinations. This important system has known weaknesses and is difficult to support. In our view, the methodology OCIO uses to identify major systems does not sufficiently consider risk or the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in these smaller IT applications. The new CIO has an opportunity to reexamine the inventory of the Institution's IT systems and determine whether other smaller applications should be put through a certification and accreditation process because they process sensitive data related to security, personnel, safety, or health.
We will continue to hold discussions with OCIO to work toward a resolution on this issue.

We appreciate the courtesy and cooperation of Smithsonian representatives during this evaluation. If you have any questions concerning this report, please call me, or Stuart Metzger at (202) 633-7050.

Appendix A

Appendix A documents our comparison of the Institution's Oracle 9i/10g baseline to an industry-accepted Oracle baseline. Where the Institution's baseline does not address controls in the industry-accepted baseline, we noted a deficiency.

Note: the CIS and OCIO columns identify how many controls each baseline addresses in each focus area.

CIS Benchmark for Oracle 9i/10g Ver 2.0, compared with Smithsonian OCIO "Security Settings for Oracle Servers"

 #   Area of Focus                          CIS   OCIO   Deficiencies in the OCIO baseline
 1   Operating System (OS) Settings          20      3   Only covers a few settings at the OS level, missing the majority of OS controls or a reference to an OS baseline.
 2   Installation and Patch                  14      4   Only covers a few settings regarding installation and patch management.
 3   Oracle Directory and File Permissions   31      0   Does not cover OS-level permissions in detail and does not cover modifications to the key files init.ora, listener.ora, and sqlnet.ora.
 4   Oracle Parameter Settings               31      1   Substantially not covered.
 5   Encryption Settings                     24      1   Substantially not covered.
 6   Startup and Shutdown                     3      0   Not covered.
 7   Backup and Recovery                      8      3   Generic statement concerning the creation of backup procedures, nothing specific.
 8   Oracle Profile – Setup Settings         14      1   Generic statement covering profile settings, specifics not identified.
 9   Oracle Profile – Access Settings        59     13   Some permission restrictions are covered, but not to the extent in CIS.
10   Enterprise Manager                       6      0   Not covered.
11   10g Specific Settings                    4      0   Not applicable for DMIS.
12   General Policy and Procedures           63     11   Some general database administration procedures covered.
13   Audit Policy and Procedures             23      0   Not covered.
14   Appendix A – Additional Settings        14      0   Not covered.
 –   Other controls not specifically
     covered by CIS                         N/A      6

Appendix B

Appendix B documents our comparison of the Institution's Windows 2003 baseline to an industry-accepted Windows 2003 baseline. Where the Institution's baseline does not address controls in the industry-accepted baseline, we noted a deficiency.

Note: the CIS and OCIO columns identify how many controls each baseline addresses in each focus area. CIS control totals reflect all listed settings, even the ones where a setting is not specified; these will automatically pass unless the target baseline implements an insecure setting.

CIS Benchmark for Windows 2003 Domain Controller, compared with Smithsonian OCIO "Security Settings for Windows 2003" baseline

 #   Area of Focus                          CIS   OCIO   Deficiencies in the OCIO baseline
 1   Service Packs and Hotfix Requirements    2      2   No deficiencies; the document describes how to update the machine upon setup.
 2   Audit Policy                             9      8   Auditing Object Access is not defined.
 3   Account Policy                           6      5   The minimum password age is set to 0 instead of 1.
 4   Account Lockout Policy                   3      3   No deficiencies.
 5   Event Log Settings                      12     12   No deficiencies.
 6   Security Settings                       87     59   Several of the security settings were not defined when they should have specific values defined.
 7   Services                                39      2   Several services were not defined, specifically defining dangerous services to be disabled.
 8   User Rights                             39     21   Several user rights were not specifically defined. One of the defined user rights gave inappropriate rights to the Users group for "Allow logon through terminal services."
 9   File Permissions                        27      0   Not covered.
10   Registry Permissions                    11      0   Not covered.
11   File and Registry Auditing               3      0   Not covered (cannot be done without Auditing Object Access).

Appendix C Management Response
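The Appendix B comparison above, and Recommendations 8 and 9, describe a baseline check that can be automated: read the settings a baseline actually defines, compare each one against the reference value, distinguish settings that are undefined from settings that are set weakly, and accept a deviation only when management has recorded a reason for it. The script below is an added illustration of that check and is not code from the audit report, from OCIO, or from CIS. It parses the INI-style text that `secedit /export /cfg <file>` writes on Windows (the `[System Access]`, `[Event Audit]` and `[Privilege Rights]` sections and the `SeRemoteInteractiveLogonRight` user right, which is "Allow log on through Terminal Services", are the real names). The reference values are assumptions in the spirit of the CIS Windows 2003 benchmark rather than a copy of it, and both the sample template and the exception register are constructed for this example.

```python
"""Compare a Windows security-template export against a reference baseline.

Added example, not from the audit report, OCIO, or CIS. Reference values are
assumed in the spirit of the CIS Windows 2003 benchmark; the sample template
and exception register are constructed for illustration.
"""
import re
from collections import Counter
from typing import Callable, Dict, List, Tuple

Template = Dict[str, Dict[str, str]]

# Well-known SIDs as they appear in [Privilege Rights] assignments.
ADMINISTRATORS = "*S-1-5-32-544"
USERS = "*S-1-5-32-545"


def parse_template(text: str) -> Template:
    """Parse secedit's INI-like export into {section: {key: value}}.
    A real export is UTF-16LE; open the file with encoding="utf-16" first."""
    sections: Template = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def sids(value: str) -> set:
    """Split a comma-separated privilege assignment into its SIDs."""
    return {s.strip() for s in value.split(",") if s.strip()}


# (section, key, requirement as shown in the report, predicate on the raw value).
# Assumed reference values; replace with the benchmark actually adopted.
REFERENCE: List[Tuple[str, str, str, Callable[[str], bool]]] = [
    ("System Access", "MinimumPasswordAge", "at least 1 day", lambda v: int(v) >= 1),
    ("System Access", "MaximumPasswordAge", "1 to 90 days", lambda v: 1 <= int(v) <= 90),
    ("System Access", "LockoutBadCount", "1 to 10 attempts", lambda v: 1 <= int(v) <= 10),
    ("Event Audit", "AuditObjectAccess", "failure auditing (2 or 3)", lambda v: int(v) in (2, 3)),
    ("Event Audit", "AuditLogonEvents", "success and failure (3)", lambda v: int(v) == 3),
    ("Privilege Rights", "SeRemoteInteractiveLogonRight", "Users group excluded", lambda v: USERS not in sids(v)),
    ("Privilege Rights", "SeDebugPrivilege", "Administrators only", lambda v: sids(v) <= {ADMINISTRATORS}),
]


def evaluate(template: Template, exceptions: Dict[Tuple[str, str], str]) -> List[dict]:
    """Classify each reference setting as OK, WEAK, UNDEFINED or DOCUMENTED EXCEPTION.
    UNDEFINED is kept apart from WEAK: a setting the baseline never mentions passes a
    scanner only until some host sets it insecurely. A deviation with a recorded
    justification in `exceptions` is accepted (the record recommendation 9 asks for)."""
    findings = []
    for section, key, requirement, passes in REFERENCE:
        value = template.get(section, {}).get(key)
        if value is None:
            status = "UNDEFINED"
        else:
            try:
                status = "OK" if passes(value) else "WEAK"
            except ValueError:          # non-numeric value where a number is expected
                status = "WEAK"
        justification = exceptions.get((section, key))
        if status != "OK" and justification:
            status = "DOCUMENTED EXCEPTION"
        findings.append({"section": section, "key": key, "value": value,
                         "requirement": requirement, "status": status,
                         "justification": justification})
    return findings


def summary(findings: List[dict]) -> Dict[str, int]:
    """Count findings per status."""
    return dict(Counter(f["status"] for f in findings))


# Constructed sample mirroring the Appendix B weaknesses: minimum password age 0,
# object-access auditing absent, Users allowed to log on through Terminal Services.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDebugPrivilege = *S-1-5-32-544
"""

# Constructed exception register: one deviation management chose to keep, with its reason.
SAMPLE_EXCEPTIONS = {
    ("Privilege Rights", "SeRemoteInteractiveLogonRight"):
        "Help-desk accounts in Users need Terminal Services access; approved by management, re-evaluate annually.",
}

if __name__ == "__main__":
    results = evaluate(parse_template(SAMPLE_TEMPLATE), SAMPLE_EXCEPTIONS)
    for f in results:
        print(f"{f['status']:<20} [{f['section']}] {f['key']} = {f['value']!r} (expected {f['requirement']})")
        if f["justification"]:
            print(f"{'':<20} reason: {f['justification']}")
    print(summary(results))
```

Running it against the constructed template reports the minimum password age as WEAK, object-access auditing as UNDEFINED, and the Terminal Services right as a DOCUMENTED EXCEPTION; remove the entry from SAMPLE_EXCEPTIONS and that right is reported as WEAK, which is the distinction between a justified deviation and an unexplained gap that the recommendations ask the baseline itself to carry.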